[57] ABSTRACT

A number of electronic communications methods are 
described involving a first and a second party, with assis- 
tance from at least a trusted party, enabling electronic 
transactions in which the first party has a message for the 
second party. The first party, the second party and the trusted 
party undertake an exchange of transmissions, at least one of 
which occurs electronically and in an encrypted manner, 
such that if all transmissions reach their destinations the 
second party only receives the message if the first party 
receives at least one receipt. Preferably, the identity of the 
first party is temporarily withheld from the second party 
during the transaction. At least one receipt received by the
first party enables the first party to prove the content of the 
message received by the second party. 

49 Claims, 1 Drawing Sheet 
SIMULTANEOUS ELECTRONIC
TRANSACTIONS WITH VISIBLE TRUSTED 
PARTIES 

RELATED APPLICATION 

This application is a continuation-in-part of prior copending
application Ser. No. 08/408,551, filed Mar. 21, 1995.

TECHNICAL FIELD

The present invention relates generally to electronic com- 
merce and transactions and more particularly to techniques 
for enabling users to effect certified mail, contract signing 
and other electronic notarization functions.

BACKGROUND OF THE INVENTION 

The value of many transactions depends crucially on their 
simultaneity. Indeed, simultaneity may be so important to
certain financial transactions that entities often are willing to 
incur great inconvenience and expense to achieve it. For
example, consider the situation where two parties have 
negotiated an important contract that they now intend to
"close." Often, the parties find it necessary to sign the
document simultaneously, and thus they meet in the same 
place to watch each other's actions. Another example is the 
process of certified mail, where ideally the sender of a 
message desires that the recipient get the message simultaneously
with the sender's obtaining a "receipt". A common
certified mail procedure requires a person who delivers the 
mail to personally reach the recipient and obtain a signed 
acknowledgment when the message is delivered. This 
acknowledgment is then shipped to the sender. Again, this 
practice is costly and time consuming. Moreover, such
acknowledgments do not indicate the content of the mes- 
sage. 

In recent years, the cost, efficiency and convenience of 
many transactions have been improved tremendously by the
availability of electronic networks, such as computer, tele- 
phone, fax, broadcasting and others. Yet more recently, 
digital signatures and public-key encryption have added 
much needed security to these electronic networks, making 
such communication channels particularly suitable for
financial transactions. Nevertheless, while electronic com- 
munications provide speed, they do not address simultaneity. 

The absence of simultaneity from electronic transactions 
severely limits electronic commerce. In particular, heretofore
there has been no effective way of building so-called
simultaneous electronic transactions ("SET's"). As used 
herein, a SET is an electronic transaction that is simulta- 
neous at least in a "logically equivalent" way, namely it is 
guaranteed that certain actions will take place if and only if 
certain other actions take place. One desirable SET would be
certified mail, however, the prior art has not addressed this 
problem effectively. This can be seen by the following 
consideration of a hypothetical example, called ideal certi- 
fied mail or "ICM". 

In an ICM transaction, there is a sender, Alice, who
wishes to deliver a given message to an intended recipient, 
Bob. This delivery should satisfy three main properties. 
First, Bob cannot refuse to receive the message. Second,
Alice gets a receipt for the message if and only if Bob gets
the message. Third, Alice's receipt should not be "generic,"
but closely related to the message itself. Simultaneity is 
important in this transaction. For instance, Alice's message 
could be an electronic payment to Bob, and it is desired that
she obtains a simultaneous receipt if possible. 

Alice could try to get a receipt from Bob of a message m 
in the following way. Clearly, sending m to Bob in the clear 
as her first communication does not work. Should this 
message be her digital signature of an electronic payment, a 
malicious Bob may lose any interest in continuing the
conversation so as to deprive Alice of her receipt. On the 
other hand, asking Bob to send first a "blind" receipt may not 
be acceptable to him. 

Another alternative is that Alice first sends Bob an 
encryption of m. Second, Bob sends Alice his digital sig- 
nature of this ciphertext as an "intermediate" receipt. Third, 
Alice sends him the decryption key. Fourth, Bob sends Alice 
a receipt for this key. Unfortunately, even this transaction is 
not secure, because Bob, after learning the message when 
receiving Alice's key, may refuse to send her any receipt.
(On the other hand, one cannot consider Bob's signature of 
the encrypted message as a valid receipt, because Alice may 
never send him the decryption key.) 

These problems do not disappear by simply adding a few 
more rounds of communication, typically consisting of 
"acknowledgments". Usually, such additional rounds make 
it more difficult to see where the lack of simultaneity lies, but
they do not solve the problems. 

Various cryptographic approaches exist in the literature 
that attempt to solve similar problems, but they are not 
satisfactory in many respects. Some of these methods appli- 
cable to multi-party scenarios propose use of verifiable 
secret sharing (see, for example, Chor et al.), or multi-party
protocols (as envisioned by Goldreich et al.) for making
simultaneous some specific transactions between parties. 
Unfortunately, these methods require a plurality of parties, 
the majority of which are honest. Thus, they do not envision 
simultaneous transactions involving only two parties. 
Indeed, if the majority of two parties are honest then both 
parties are honest, and thus simultaneity would not be a 
problem. Moreover, even in a multi-party situation, the 
complexity of these prior art methods and their amount and 
type of communication (typically, they use several rounds of 
broadcasting), make them generally impractical. 

Sophisticated cryptographic transactions between just two 
parties have been developed but these also are not simulta- 
neous. Indeed, if just two people send each other strings 
back and forth, and each one of them expects to compute his 
own result from this conversation, the first to obtain the 
desired result may stop all communications, thereby depriving
the other of his or her result. Nonetheless, attempts at
providing simultaneity for two-party transactions have been 
made, but by using assumptions or methods that are unsat- 
isfactory in various ways. 

For example, Blum describes transactions that include 
contract signing and certified mail and that rely on the two
parties having roughly equal computing power or knowl- 
edge of algorithms. These assumptions, however, do not 
always hold and are hard to check or enforce anyway. In 
addition, others have discovered ways to attack this rather 
complex method. A similar approach to simultaneity has 
also been proposed by Even, Goldreich and Lempel. In
another Blum method for achieving simultaneous certified 
mail, Alice does not know whether she got a valid receipt. 
She must go to court to determine this, and this is undesir- 
able as well. 

A method of Luby et al. allows two parties to exchange the
decryption of two given ciphertexts in a special way, namely, 
for both parties the probability that one has to guess correctly
the cleartext of the other is slowly increased towards
100%. This method, however, does not enable the parties to 
achieve guaranteed simultaneity if one party learns the 
cleartext of the other's ciphertext with absolute certainty
(e.g., by obtaining the decryption key); then he can deny the
other a similar success. 

For this reason, several researchers have tried to make
simultaneous two-party transactions via the help of one or
more external entities, often referred to as "centers", "servers"
or "trustees", a notion that appears in a variety of
cryptographic contexts (see, for instance, Needham and
Schroeder and Shamir). A method for simultaneous contract
signing and other transactions involving one trustee (called 
a "judge") has been proposed by Ben-Or et al. Their method 
relies on an external entity only if one party acts dishonestly,
but it does not provide guaranteed simultaneity. In that 
technique, an honest party is not guaranteed to have a signed 
contract, even with the help of the external entity. Ben-Or et 
al. only guarantee that the probability that one party gets a
signed contract while the other does not is small. The smaller
this probability, the more the parties must exchange messages
back and forth. In still another method, Rabin envisions
transactions with the help of an external party that is
active at all times (even when no transaction is going on),
but this method also does not provide guaranteed simultaneity.

The prior art also suggests abstractly that if one could 
construct a true simultaneous transaction (e.g., extended 
certified mail), then the solution thereto might also be useful 
for constructing other types of electronic transactions (e.g.,
contract signing). As noted above, however, the art lacks an 
adequate teaching of how to construct an adequate simul- 
taneous transaction. 

There has thus been a long-felt need in the art to overcome 
these and other problems associated with electronic trans- 
actions. 

BRIEF SUMMARY OF THE INVENTION 

It is an object of the invention to provide true simultaneous
electronic transactions.

It is a further object of the invention to provide electronic 
transactions having guaranteed simultaneity in a two-party 
scenario with the assistance of a visible trusted party.

It is another more specific object of the invention to
provide ideal certified mail wherein the identity of the 
sender is temporarily withheld from the recipient during the 
transaction. 

It is still another object of the invention to provide a
simultaneous electronic transaction wherein the recipient 
can prove the content of a message and a receipt provided to 
the sender proves the content of the message. 

These and other objects are provided in an electronic 
communications method between a first and a second party,
with assistance from at least a trusted party, enabling an 
electronic transaction in which the first party has a message 
for the second party. A first method, called the sending 
receipt approach, begins by having the first party transmit to 
the trusted party a custom version of the message intelligible
to the second party but not by the trusted party. In response, 
the method continues having the trusted party verify that the 
first party transmitted the custom version of the message and 
that the second party is the intended recipient thereof. The 
trusted party then transmits to the second party information
from which the second party can retrieve the message. Then, 
the trusted party transmits to the first party a sending receipt 
indicating that the message has been transmitted to the
second party. At least one of the transmissions is carried out 
electronically. 

According to an alternative embodiment, called the return 
receipt approach, the method begins having the first party 
transmit to the trusted party a custom version of the message 
intelligible to the second party but not by the trusted party. 
In response, the method continues by having the trusted 
party verify that the first party transmitted the custom 
version of the message and that the second party is the 
intended recipient thereof. The trusted party then transmits to
the second party first information which determines the 
message but retains the message and the identity of the first 
party hidden from the second party. A test is then done to 
determine whether within a given time the second party 
transmits to the trusted party a return receipt indicating that 
the second party received the transmission of the first 
information from the trusted party. If the second party 
transmits the return receipt to the trusted party, the method 
has the trusted party (i) transmit to the second party second 
information from which the second party, using the first and 
second information, can retrieve the message, and (ii) trans- 
mit to the first party a receipt that the second party has 
received the message. Again, at least one of the transmis- 
sions is carried out electronically. 

Many other electronic communications methods are 
described wherein the first party, the second party and the 
trusted party undertake an exchange of transmissions, at 
least one of which occurs electronically and in an encrypted 
manner, such that if all transmissions reach their destinations 
the second party only receives the message if the first party 
receives at least one receipt. At least one receipt received by 
the first party enables the first party to prove the content of 
the message received by the second party. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention
and the advantages thereof, reference should be made to
the following Detailed Description in conjunction with the 
accompanying drawings in which: 

FIG. 1 illustrates a preferred sending receipt method of 
the invention; and 

FIG. 2 illustrates a preferred return receipt method of the 
invention. 

DETAILED DESCRIPTION 

In each of the schemes described below, there is a user 
Alice and a user Bob. The trusted party may be a financial 
center that facilitates SETs among its customers, including 
Alice and Bob. For convenience, the following description 
shows how to make extended certified mail "simultaneous", 
although the invention is not so limited. In the context of an 
ICM system, the third party is called the Post Office. The 
inventive scheme is also preferable to ordinary certified mail 
because the message receipt also guarantees the content of 
the message. Also, the electronic transaction is faster, more 
informative and more convenient than traditional certified 
mail, and its cost should be substantially lower. 

In the preferred embodiment, an extended certified mail 
system is provided using a single "trusted" party. The system 
is implemented in a computer network, although it should be 
realized that telephone, fax, broadcast or other communica- 
tion networks may be used. Thus, without limitation, it is 
assumed that each user in the system has a computer capable 
of sending and receiving messages to and from other computers
via proper communication channels.

Each user in the system has a unique identifier. Alice's 
identifier is denoted by A, and Bob's identifier is B. The 
identifier of the Post Office is denoted by PO. Users and the
Post Office can digitally sign messages. Thus, each has a
secret signing key and a matching public verification key. If
m is a message (string), then SIG_A(m) indicates Alice's
signature of m. (It is assumed, for convenience, that m is
always retrievable from its signature. This is the case for
most signature schemes, and it is otherwise possible to 
consider a signed message as the pair consisting of the 
message and its signature.) 

Users and the Post Office can encrypt messages by means 
of a public-key encryption algorithm (e.g., RSA). Thus, each
has a public encryption key and a corresponding secret
decryption key. E_A(m), E_B(m), and E_PO(m) denote, respectively,
the encryption of a message m with the public key of
Alice, Bob, and the Post Office. For simplicity, it is assumed
that these schemes are secure in the sense that each of E_A,
E_B, and E_PO appear to behave as a random function. The
system can be suitably modified if these functions are much 
less secure. 

Again, for simplicity these encryption algorithms are 
deterministic and uniquely decodable. Thus, given a value y
and a message m, all can verify whether y is the encryption
of m with, for example, the Post Office's key, by checking
whether E_PO(m) equals y. (If the encryption scheme is
probabilistic, then one may convince another that a string y
is an encryption of a message m by providing m together
with the random bits that were used to encrypt m.) (It may
also be possible to use encryption algorithms that are not
uniquely decodable, for instance, if it is hard to decrypt a
given ciphertext in two different ways.) For simplicity, if
public key encryption algorithms are used, messages are
encrypted directly with a public-key algorithm; however,
one could first encrypt a message conventionally with some
key k, and then encrypt k with a public-key algorithm.
(Thus, to decrypt m, one need only just decrypt k). Indeed,
private key encryption algorithms could be used throughout.

According to the invention, it is desired to devise practical 
ICM methods, involving more visible trustees, that (1) 
produce receipts closely tied to the content of the mail, (2) 
hide (at least temporarily) the identity of senders from the 
recipients, and (3) can be implemented in a pure electronic
manner (at least, as long as senders and recipients behave 
properly). 

The Sending-Receipt Method 

To describe the various methods of the present invention, 
assume there are senders, receivers and post offices. It
should be clear, however, that each of these may be any 
entity, such as a person, a person's representative, a physical 
device (in particular, a tamper-proof device) or a collection 
of people and/or physical devices. For example, the Post 
Office could be a tamper-proof device located in a device or
facility belonging to Alice and/or Bob. 

Also, in the preferred embodiments, Alice, Bob, and the 
Post Office all have public encryption keys and matching 
secret decryption keys (e.g., like in the RSA algorithm), that 
their cryptosystems behave like random functions, and that
they can digitally sign messages (preferably by an algorithm
different than their encryption one). An encryption of a
string s with the public key of Alice, Bob, and the Post Office
will be denoted, respectively, as E_A(s), E_B(s), E_PO(s). The
digital signature of a string s by Alice, Bob, and the Post
Office will, respectively, be denoted by SIG_A(s), SIG_B(s),
and SIG_PO(s). (It is understood that messages can be one-way
hashed prior to being signed, together with other
valuable information, such as recipient, time, transaction 
type, sender and recipient, etc.) Identifiers for Alice, Bob, 
and the Post Office will, respectively, be denoted by A, B, 
and PO. 

In the present invention, a customization step is used by 
Alice to identify (usually to the Post Office) herself as the 
sender and Bob the (ultimate) recipient of some string s 
(usually a message m encrypted with Bob's public encryp- 
tion key). This step prevents cheating. In particular, it 
prevents an enemy from sending to Bob the same message 
Alice does and in a certified manner. Any customization step
is in the scope of the present invention. A simple such step
consists of having Alice send the Post Office a value
z=E_PO(A, B, E_B(m)). Indeed, should the Post Office receive
from some user X other than Alice the value z, upon
decrypting it with its secret decryption key, it will compute
(A, B, E_B(m)) and thus realize that there is a problem with
the identity of the sender. 

The above customization works well if the encryption 
function behaves as a random function. Alternative and 
more sophisticated customizations, all within the scope of 
the invention, are also possible. For instance, Alice may send 
the Post Office v=E_PO(SIG_A(ICM, B, E_B(m))), where the
identifier ICM signifies that z is part of an electronic certified
mail transaction. Such identifiers may be dismissed, particularly
if standard formats are adopted for ICM transactions.
As another example, Alice may achieve customization by
using identifiers and her digital signature both outside and
inside the Post Office's encryption layer: z=SIG_A(A, B,
E_PO(SIG_A(A, B, E_B(m)))). In some contexts (e.g., but without
limitation, when the communications channel is believed
to be secure), it may suffice to use a customization where the
identity of the sender and the message are sent separately,
whether or not signed together (e.g., (B, E_B(m)) or SIG_A(B,
E_B(m))).

The basic electronic certified mail system with a visible 
party is now described. At least one transmission in the 
method below (and preferably all) is electronic, where by
"electronic" we mean any non-physical delivery, including, 
without limitation, transmissions via telephones, computer 
networks, radio, broadcasting, air waves, and the like. 

THE BASIC METHOD 

A1 (Sender Step): Let m be the message that Alice desires
to send Bob by certified mail. Then Alice sends to the Post
Office a customized version of m that is intelligible by
Bob, but not by the Post Office. (E.g., she sends the value
z=E_PO(A, B, E_B(m)).)

Preferably, Alice's communication is digitally signed and 
indicates, in a standard manner, that it should be delivered 
certified to Bob. (E.g., using an alternative customization 
step, just for illustration purposes, she sends z=E_PO(SIG_A(ICM,
B, E_B(m))), or E_PO(SIG_A(B, E_B(m))).) It is
also preferable that Alice specifies additional valuable 
information, such as time information and information 
easily alerting the Post Office that her transmission is part 
of an ICM transaction. 
PO1 (Post Office Step): After receiving Alice's transmission,
the Post Office preferably uses the customization step to 
verify that Alice is the sender and Bob the intended 
recipient of this piece of electronic certified mail. If this 
is the case, then it sends to Bob information enabling him 
to retrieve Alice's message, preferably using digital sig- 
natures, and indicating to him but hiding from others that 
it is a piece of ICM from Alice to him. (E.g., it sends
y=E_B(SIG_PO(ICM, A, B, E_B(m))), or ICM, y, so that Bob
is more easily alerted that he is dealing with an ICM
transaction.)

If Alice has made use of digital signatures (e.g., if she has 
signed E_B(m) or a value comprising it in Step A1), then
it is preferable that these signatures are also forwarded to
Bob. (E.g., if Alice sent the Post Office the value
SIG_A(E_B(m)) as part of her Step A1, then the Post Office may
send E_B(SIG_PO(ICM, A, B, SIG_A(E_B(m)))) to Bob in this
step.)
In addition, the Post Office also sends Alice her receipt. 
Preferably this involves a digital signature that it has sent 
Alice's message to Bob in a way intelligible to him. Such 
a receipt preferably also indicates other valuable information,
such as the time, T, when this was done. (E.g., it
sends Alice E_A(SIG_PO(ICM, A, B, T, E_B(m))).)
The Post Office of the Sending-Receipt Method is visible 
because it takes part in the transaction whether or not Alice
and Bob behave honestly. It should be understood that each
party to the transaction (whether the Sending Receipt
method or the Return Receipt method or other methods of
the invention) may participate in the transaction via a
representative. In such case, for instance, Alice may be
identified with a representative. Alternatively, it should be
understood that a party may only be partially-identified with
his own representative. For instance, the message may be 
sent to Bob's representative but be intelligible only to Bob 
himself. 

The Post Office is not trusted with the knowledge of 
Alice's (cleartext) message to Bob; indeed, it cannot understand
m. It is trusted, instead, to perform a proper delivery,
which makes the Sending-Receipt Method a (logically) 
simultaneous transaction; indeed, Alice gets Bob's receipt if 
and only if Bob gets information from which he can retrieve 
Alice's message. The simultaneity of the transaction is not
affected by the order in which the Post Office sends the 
encrypted message to Bob and the receipt to Alice. What 
matters is that it sends both of them or none, or that 
functionally equivalent steps are taken to preserve simultaneity.

Alice's receipt certifies that her message was properly 
sent to Bob, but not the fact that Bob actually received it. 
The Post Office is indeed trusted with properly sending 
messages and this can be construed to include that these 
messages sent by the Post Office reach their destinations.
But receiving a piece of mail (i.e. having a letter deposited 
in the right mailbox or having an electronic message reach 
the right computer) may not mean that the recipient is aware 
of the delivery. It is this awareness that is necessary in many 
scenarios, such as many legal applications. This is why the
present method is called a sending-receipt method. The 
method thus is the electronic equivalent of traditional cer- 
tified mail, without return receipt. 

The electronic nature of the method, however, requires 
some special care, such as a proper customization step.
Indeed, in traditional electronic mail, it is easy to achieve 
that an enemy cannot send to Bob the same message Alice 
does, because, if he does not know this message a priori, he 
is prevented from copying by the envelope containing it. 
E_B(m), however, is a kind of envelope that prevents understanding
m, but can be copied. Indeed, if Alice sends E_B(m)
to Bob without customization and an enemy intercepts her
transmission, he may easily send the same ciphertext E_B(m)
to Bob (by certified mail or not), creating various potential
problems. This has been a recognized problem in cryptography
in different contexts. Notice that having Alice just sign
E_B(m) does not solve the problem. Indeed, an enemy X who
captures SIG_A(E_B(m)), easily learns the value E_B(m)
(because signatures generally guarantee the message, but do
not hide it), and can then easily sign it himself, that is, send
SIG_X(E_B(m)) as part of his own ICM transaction.

In the present invention, encryption of the message m 
with a key associated to a party X, E_X(m), should be broadly
construed to include any information that enables X (and
only X) to retrieve the message E_B(m) (or a string m,
preferably encrypted in a way understood by Bob alone). For
instance, E_X(m) may consist of the encryption with a key
associated with X of another key with which the message m 
has already been encrypted. (This other encryption of m may 
already be in possession of X, or sent separately to X, or 
publicly-known, or otherwise knowable by X). 

The electronic sending-receipt method is more than 
equivalent to traditional certified mail (without return 
receipt). Indeed, if digital signatures are properly used as 
exemplified above, not only does Bob learn (and can prove) 
Alice's identity and get Alice's message, he can also prove 
to third parties what this message is. For instance, if the Post 
Office (in Step PO1), sends him the value v=SIG_PO(E_B(A, B,
E_B(m))), if Bob hands out v and m to a third party, the latter
can compute u=E_B(m) by means of Bob's public encryption
key, and then (again due to Bob's public encryption key) the
value s=E_B(A, B, u), and, finally he can verify whether v is
the Post Office's digital signature of s. If the Post Office is
trusted with respect to delivering just what it is supposed to,
then this is sufficient proof that Bob got m from Alice via
ICM. Indeed, Alice's message can be defined to be whatever
string x, when encrypted with Bob's key, yields the
value E_B(m). If such x is non-sensical, then Alice sent Bob
a non-sensical message. This convention prevents Bob from 
claiming that he did not really get Alice's message in this 
way. 

Should one prefer to trust the Post Office even less, and 
still enable Bob to prove which message he got from Alice, 
it suffices, for instance, that Alice makes use of digital 
signatures; e.g., she sends z=E_PO(SIG_A(ICM, B, E_B(m))) in
Step A1, and the Post Office sends SIG_A(ICM, B, E_B(m)),
preferably further signed and encrypted, to Bob in Step
PO1. This way, by revealing m, Bob can prove via Alice's
signature that she indeed sent him m by extended certified 
mail. 

The electronic sending-receipt method is superior to tra- 
ditional certified mail in another respect. Alice's receipt 
need not be a generic one, but enables her to prove the
exact content of the message she sent Bob. In fact, if her 
receipt consists of the Post Office's digital signature that it 
has sent z=E_PO(A, B, E_B(m)) to Bob, by revealing m she
enables anyone to compute v=E_B(m) from Bob's public
encryption key, and thus E_PO(A, B, v) from the Post Office's
public encryption key, so as to verify that the result is indeed 
z, the value signed by the Post Office. 
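
Added example (not part of the patent text): a Python sketch of Steps A1 and PO1 showing the customization value z=E_PO(A, B, E_B(m)), the Post Office's rejection of a copied z arriving from a party other than the named sender, and the content-bound receipt check described above. Assumptions: toy textbook RSA built from Mersenne primes stands in for the deterministic encryption and signature schemes, the "|"-separated field encoding and every function name are hypothetical, the Post Office learns the transmitting party's identity from the channel, and the outer encryption layers toward Bob and Alice are omitted.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys


def digest(data: bytes) -> int:
    """SHA-256 of data as an integer (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


@dataclass(frozen=True)
class PublicKey:
    n: int

    def encrypt(self, data: bytes) -> int:
        """Deterministic E_X(data): unpadded RSA, matching the text's assumption."""
        x = int.from_bytes(data, "big")
        if x >= self.n:
            raise ValueError("payload too long for this toy modulus")
        return pow(x, E, self.n)

    def verify(self, data: bytes, sig: int) -> bool:
        return pow(sig, E, self.n) == digest(data)


@dataclass(frozen=True)
class PrivateKey:
    pub: PublicKey
    d: int

    def decrypt(self, c: int) -> bytes:
        x = pow(c, self.d, self.pub.n)
        return x.to_bytes((x.bit_length() + 7) // 8, "big")

    def sign(self, data: bytes) -> int:
        return pow(digest(data), self.d, self.pub.n)


def make_keys(p: int, q: int) -> PrivateKey:
    return PrivateKey(PublicKey(p * q), pow(E, -1, (p - 1) * (q - 1)))


# Constructed toy keys from Mersenne primes: trivially factorable, demo only.
BOB = make_keys(2**107 - 1, 2**127 - 1)
PO = make_keys(2**521 - 1, 2**607 - 1)


class Rejected(Exception):
    """Raised when the Post Office refuses a transmission."""


def customize(sender: str, recipient: str, m: bytes,
              bob_pub: PublicKey, po_pub: PublicKey) -> int:
    """Step A1: z = E_PO(A, B, E_B(m)). The field encoding is an assumption."""
    inner = bob_pub.encrypt(m)
    return po_pub.encrypt(f"{sender}|{recipient}|{inner:x}".encode())


def post_office(z: int, transmitter: str, po_priv: PrivateKey):
    """Step PO1: check the customization, then release both outputs or none.

    Returns (recipient, E_B(m) for the recipient, SIG_PO(z) for the sender).
    """
    try:
        sender, recipient, inner_hex = po_priv.decrypt(z).decode().split("|")
        inner = int(inner_hex, 16)
    except ValueError as exc:  # also covers undecodable bytes
        raise Rejected("malformed transmission") from exc
    if sender != transmitter:
        # A copied z still names the original sender inside the PO layer.
        raise Rejected(f"z names {sender!r} but arrived from {transmitter!r}")
    return recipient, inner, po_priv.sign(str(z).encode())


def verify_receipt(m: bytes, sender: str, recipient: str, receipt: int,
                   bob_pub: PublicKey, po_pub: PublicKey) -> bool:
    """Third-party check using public keys only: recompute z from m and
    confirm the receipt is the Post Office's signature of that z."""
    try:
        z = customize(sender, recipient, m, bob_pub, po_pub)
    except ValueError:
        return False
    return po_pub.verify(str(z).encode(), receipt)


if __name__ == "__main__":
    msg = b"pay Bob 100"  # constructed sample message
    z = customize("A", "B", msg, BOB.pub, PO.pub)
    to, c, receipt = post_office(z, "A", PO)
    print("delivered to", to, "->", BOB.decrypt(c))
    print("receipt proves content:",
          verify_receipt(msg, "A", "B", receipt, BOB.pub, PO.pub))
    try:
        post_office(z, "X", PO)  # same z re-sent by another party
    except Rejected as why:
        print("copy rejected:", why)
```

Because both layers are deterministic, anyone holding m and the two public keys recomputes the same z, which is what ties the receipt to the message content rather than to the delivery alone.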

The ICM is superior to other electronic methods for 
certified mail in many respects. In particular, simultaneity is 
guaranteed, rather than being just highly probable. More- 
over, since the Post Office provides Alice with her receipt, 
Bob cannot decide whether or not to accept a message from 
her based on the sender's identity. 

It is recommended that each transmission occur within the 
encryption layer of its immediate recipient. (E.g., in Step A1,
it is preferable that Alice sends E_PO(SIG_A(ICM, B, E_B(m)))
rather than SIG_A(ICM, B, E_B(m)).) Among other things,
this way of transmitting denies an enemy monitoring such
transmissions valuable information, such as sender-receiver
information. That is, if an enemy learns E_B(SIG_PO(ICM, A,
B, E_B(m))), the transmission of the Post Office to Bob of
Step PO1, and it further knows that this value was travelling
from the Post Office to Bob, it may deduce that Bob is the 
recipient of a piece of certified mail, but it may not easily 
learn that the sender was Alice because this piece of data is 
protected under Bob's encryption key. Indeed, the Post
Office may make this harder by processing its PO1 steps
relative to different senders and recipients in a different 
order. If at every time interval there are sufficiently many 
senders, this will confuse the enemy even more. In addition, 
the Post Office may arrange for dummy transmissions, so as 
to have sender traffic that always looks reasonably busy. This 
enables it to process real and fake sending requests in an
interwoven order without creating any delays. If desired, 
however, most recipient-encryption protections could be 
dispensed with. 

Finally, the reference to m as the message Alice wants to
send to Bob should be broadly construed to mean any 
message that Alice has for Bob, including a message that is 
chosen before the transaction, but arises or is implicitly 
defined by the transaction. 

VARIANTS AND IMPROVEMENTS. Many variants of
the above and following methods are applicable and within 
the scope of the invention. In particular, customization may 
be dismissed all together or achieved by means of other 
electronically transmissible methods. The sender's identity 
may be used for customization purposes, but hidden from 25 
the recipient in some applications. Alice's message may not 
be hidden from the Post Office. (E.g., if this is a machine, or 
consists of a collection of individuals, many of which must 
cooperate to learn the message). Also, digital signatures 
should be broadly construed to include any form of elec- 
tronically transmissible guarantees. Conventional encryp- 30 
tions may be used in alternative or in conjunction with 
public-key one. A higher level of interaction may be adopted 
in our methods (e.g., if one wishes to get additional valuable 
benefits, such as zero-knowledge). In particular, each of our 
Steps can be realized by means of more rounds of commu- 35 
nications. lime information may be included in some or all 
of the transmissions, each party may be a multiplicity of 
parties, and so on. 

Proper use of time information may be important. For
instance, assume Alice specifies (preferably in an untamperable
way) to the Post Office the time in which her string was
sent. If the Post Office receives it too late (or too early), it
may not send any communication to Bob nor any receipt to
Alice. (Indeed, if the certified message from Alice to Bob is
an order to buy stock that day, Bob may not be responsible
for failing to obey the order if he got it unreasonably late.)
Alternatively, the Post Office may specify in its communication
to Bob the time when this was sent, preferably in a
digitally signed manner, so that, among other things, Bob
may in many contexts prove that he got Alice's message too
late. The Post Office may also deny Alice her receipt if her
A1 transmission arrives too late, or it may issue her a
properly "time-stamped" receipt, but such receipt may be
deemed void for certain purposes if some of the time
information indicated is deemed to be too late.

Multiplicities of parties may also be quite useful. For 
instance, Alice may deal with two or more Post Offices for 
delivering the same message to Bob. In this case, having two 
independent receipts for the same message constitutes a 
much greater evidence that at least one of the Post Offices
has properly sent the message to Bob. 

Alternatively, Alice may conveniently deal with a single
Post Office, but this is an entity comprising or coordinating
several agents. Such an entity may give Alice's communication
to two or more of its agents, and these will send
Alice's message to Bob in the proper manner, generating the
proper receipts. These receipts may then be given by the
agents to Alice directly, or to the (or some other) entity, who
then will give them (or sufficiently many of them, or a
consolidated version of some of them) to Alice.

It is also useful that the Post Office agents possess pieces 
of a secret key of the Post Office. In this case one may wish 
that they collaborate for decrypting some communications 
sent to the Post Office in an encrypted manner. If some of 
these communications are intended for someone else (e.g., if
one such communication consists of or includes $E_B(m)$
encrypted with the Post Office's key), then the Post Office's
agents may enable directly the recipient to decrypt the
communication (e.g., they may enable only Bob to
reconstruct $E_B(m)$). This may be achieved, for instance, by a
proper use of threshold cryptosystems. Indeed, if single
agents are incapable of understanding messages encrypted 
with the Post Office's key, it may be unnecessary for Alice 
to first encrypt her message m to Bob with Bob's key. She 
may directly encrypt m with such a multi-party controlled 
key of the Post Office, the agents of the Post Office will then 
enable Bob to decrypt m, while the agents and/or the Post 
Office will give Alice a proper receipt. A single or suffi- 
ciently few agents of the Post Office will not, however, be 
able to understand m. 

Another improvement is the following. In the Sending- 
Receipt Method Bob may claim that he did not "really" 
receive Alice's message because he lost his decryption key. 
To solve this problem, the Post Office may perform the 
Return Mail Service only for those users who guarantee to 
back up their secret decryption keys in a deemed acceptable 
way; so that, for instance, such a Bob may not use his having 
lost his secret key as a defense against an unwanted piece of 
certified mail. For example, to be eligible to receive a piece 
of ICM, it can be required that Bob performs (or that he has
already performed) a given key-escrow procedure
relative to his keys used for electronic certified mail pur- 
poses. This way, Bob may always be capable of retrieving 
his secret key. 

To create further incentive for Bob to undergo this key- 
escrow step, it may be stipulated that a user cannot be a 
sender of an ICM system, unless he also is a potential 
receiver with a properly backed up key. In any case, the Post 
Office (or a court if and when it is invoked) may regard Bob 
as a legitimate receiver if he had given a suitable and timely 
indication that he accepts a given key of his to be used for 
ICM purposes. 

Alternatively, Bob may be regarded to be a legitimate 
recipient of a piece of ICM by the mere fact that a key of his 
is known to be suitably backed up (e.g., by an approved 
key-escrow method), and it was this key of his to be used as 
the recipient-key in an ICM transaction. The fact that Bob has
elected a key of his to be usable as a recipient-key for ICM
purposes, or the fact that a key of his is suitably backed up,
may, for instance, be part of a certificate of this key (e.g., of
the certificate showing that this key belongs to Bob).
Alternatively, Bob may coincide for ICM purposes with a
plurality of entities each having a piece of "his" decryption key,
so that sufficiently many of these entities may recover any
message encrypted with Bob's encryption key. Thus, the
Post Office may communicate with each or sufficiently
many of these entities.

Alternatively, if, as described above, the Post Office has 
several agents so as to offer a service based on a type of 
threshold cryptosystem and messages are not further 
encrypted with a recipient key, there is no worry that the 
recipient may lose his key. Indeed, it will be the Post Office 
who will enable him to get his message from Alice. Notice 
also that a weaker customization of Alice's message to Bob
may be realized within Bob's encryption layer, or even
solely within this layer.

For instance, Alice may send to the Post Office $z = E_{PO}(w)$,
where $w = E_B(A, B, m)$ (or $w = E_B(SIG_A(m))$), just to give
an example of an alternative customization in this setting. In
this setting, the message received by Bob is conventionally
declared to be m only if w is an encryption of (A, B, m), that
is, if it identifies in some standard way Alice as the sender
and Bob as the recipient. For instance, if Bob is a stockbroker
and m a purchase order of a given stock, if v does
not consist of A, B, m, Bob is not obliged to buy that stock.
This way of proceeding facilitates the job of the Post Office
(for instance because it may not be asked to check any
customization) and still offers valuable protection.

The Return-Receipt Method

Despite its utility, the Sending-Receipt Method suffers 
from the following problem: Bob may never receive (or 
claim not to have received) Alice's (cleartext) message, not 
because he lost (or claims to have lost) his decryption key, 
but because he never got (or claims to have not gotten) any
communication from the Post Office. For instance, if a
computer network is used for communicating during an ICM
transaction, a failure may occur or may be claimed to have
occurred.

To solve such problems, the Sending-Receipt Method is
augmented as follows. After receiving the communication of
Step PO1, Bob may be asked or required to send a proper
receipt back. This receipt may be sent to the Post Office (or
directly to Alice, since at that point Bob may have already
learned Alice's identity). Such receipt, if obtained, simplifies
matters a great deal, and offers much greater guarantees to
everyone involved. Upon receiving it, the Post Office may
store it, or send it to Alice as an additional receipt, or issue
to Alice an equivalent additional receipt.

Alternatively, the Post Office may withhold Alice's
receipt of Step PO1, and give it to her only if Bob does not
produce any receipt for the Post Office's PO1 transmission
to him. Moreover, if Bob does not produce a receipt, the Post
Office may take some of the actions described below that
enable it to obtain a receipt from Bob in some other manner
or enable it to produce a suitable affidavit (e.g., that Bob
willingly refused Alice's message). It is expected that Bob
will readily acknowledge the Post Office PO1 transmission
most of the time. Indeed, he knows that Alice gets a
sending-receipt anyway, and that the Post Office will obtain
a receipt from him (or issue a suitable affidavit) anyway.

Moreover, it can be arranged that eligible recipients in the 
ICM systems can incur additional charges if alternative 
actions to obtain a receipt from them are taken. 

In the method just described, Bob is required to produce
a receipt after he learns Alice's message, and her identifier
if so wanted. The return-receipt method below, instead,
elicits a receipt from Bob before he knows the message or
the sender's identity. Nonetheless, the new receipt may still
be used, if desired, to prove to third parties the content of
Alice's message. In describing the preferred embodiment of
the new return-receipt method, the same computational
framework of the Sending-Receipt Method is assumed. In
fact, the first step is identical to that of the Sending-Receipt
Method.

THE RETURN-RECEIPT METHOD 

A1 (Sender Step): Let m be the message that Alice wishes
to send to Bob in a certified manner. Then she sends the
Post Office an encrypted version of m intelligible by Bob
but not by the Post Office.
Her transmission is preferably customized, signed, and
indicates that it is part of an ICM transaction together with
other valuable information, such as the transmission time.
(E.g., she sends $z = E_{PO}(SIG_A(ICM, A, B, T, E_B(m)))$.)
PO1 (Post Office Step): The Post Office verifies who is the
sender and who is the intended recipient.
It sends Bob information that determines his message
without making it yet intelligible to him.
In so doing the Post Office preferably hides Alice's
identity, alerts Bob that he is dealing with an ICM
transaction, and makes use of digital signatures. (E.g., it
sends Bob $y = E_{PO}(SIG_{PO}(ICM, recipient: B, z))$ or
ICM, $SIG_{PO}(E_B(B, z))$.)

It also sends Alice a guarantee that it has done so.
Preferably, in so doing it also specifies other valuable
information, such as time information T. (E.g., it sends
Alice the value $x = E_A(SIG_{PO}(z, T))$.)
B1 (Recipient Step): Bob sends the Post Office a receipt that
he got the above transmission. (E.g., he sends $E_{PO}(w)$,
where $w = SIG_B(recipient, z)$.)

Possibly, Bob's receipt also indicates other valuable
information.

PO2 (Post Office Step): If Bob sends back the proper receipt
within a specified amount of time, then the Post Office

1. sends Alice a suitable receipt; for instance, $E_A(w)$, and

2. sends Bob information that enables him to reconstruct
Alice's message (e.g., $E_B(m)$).

If Alice has signed her transmission to the Post Office
in Step A1 (e.g., she has sent the value z envisaged
above), then it is preferable that the Post Office also
enables Bob to guarantee the content of the message
(e.g., it sends Bob $SIG_A(ICM, A, B, T, E_B(m))$).
If Bob does not send back the proper receipt to the Post
Office within a given amount of time, then the Post Office
may either do nothing (in which case the only form of
receipt in Alice's possession is what she has received from
the Post Office in Step PO1); or inform Alice that it has
received no receipt from Bob; or make a record that no
receipt has been sent by Bob; or

PO3 takes action to deliver Alice's message to Bob in a way
that is guaranteed to produce a return-receipt (e.g., it
delivers the message to Bob by means of traditional
certified mail). The thus obtained return-receipt (or an
affidavit that Bob refused willingly the mail) is then sent
to Alice.

The above ICM transaction is a (logically) simultaneous 
one, and one that hides the identity of sender for as long as 
necessary. 
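
The message flow of Steps A1, PO1, B1 and PO2/PO3, as an added example that is not part of the patent text: a symbolic Python model in which `Enc` and `Sig` stand in for $E_X$ and $SIG_X$ (no real cryptography is performed) and PO1 uses the second form, ICM, $SIG_{PO}(E_B(B, z))$. All class and function names, the party labels and the time limits are assumptions made for this sketch.

```python
from dataclasses import dataclass

# Symbolic stand-ins (assumptions of this sketch, not real cryptography):
# Enc models E_X(body); Sig models SIG_X(body), readable by anyone.
@dataclass(frozen=True)
class Enc:
    to: str
    body: object
    def open(self, who):
        if who != self.to:
            raise PermissionError(f"{who} cannot decrypt data encrypted for {self.to}")
        return self.body

@dataclass(frozen=True)
class Sig:
    by: str
    body: object

def alice_a1(m, t):
    """Step A1: z = E_PO(SIG_A(ICM, A, B, T, E_B(m)))."""
    return Enc("PO", Sig("A", ("ICM", "A", "B", t, Enc("B", m))))

class PostOffice:
    def __init__(self, max_delay=5, receipt_window=10):  # constructed time limits
        self.max_delay = max_delay
        self.receipt_window = receipt_window
        self.pending = {}   # z -> (Alice's signed request, deadline for Bob's receipt)

    def po1(self, z, now):
        """Step PO1: verify sender, recipient and time; notify Bob and Alice."""
        signed = z.open("PO")
        tag, sender, recipient, t, _ = signed.body
        if tag != "ICM" or signed.by != sender:
            raise ValueError("not a signed ICM request from the named sender")
        if not 0 <= now - t <= self.max_delay:
            raise ValueError("A1 transmission outside the accepted time window")
        self.pending[z] = (signed, now + self.receipt_window)
        to_bob = ("ICM", Sig("PO", Enc(recipient, (recipient, z))))  # Alice stays hidden
        to_alice = Enc(sender, Sig("PO", (z, now)))                  # x = E_A(SIG_PO(z, T))
        return to_bob, to_alice

    def po2(self, sealed_w, now):
        """Step PO2: release the message only against Bob's timely receipt."""
        w = sealed_w.open("PO")
        role, z = w.body
        signed, deadline = self.pending[z]
        _, sender, recipient, _, _ = signed.body
        if role != "recipient" or w.by != recipient:
            raise ValueError("receipt is not signed by the intended recipient")
        if now > deadline:
            return self.po3(z)
        del self.pending[z]
        return {"to_alice": Enc(sender, w), "to_bob": signed}

    def po3(self, z):
        """Step PO3: no timely receipt, so nothing is released electronically."""
        self.pending.pop(z, None)
        return {"fallback": "traditional certified mail", "z": z}

def bob_b1(to_bob):
    """Step B1: Bob acknowledges z, which he cannot yet read."""
    tag, signed = to_bob
    if tag != "ICM" or signed.by != "PO":
        raise ValueError("not an ICM notice signed by the Post Office")
    _, z = signed.body.open("B")
    return Enc("PO", Sig("B", ("recipient", z))), z

def bob_read(final):
    """After PO2: Bob checks Alice's signature and opens E_B(m)."""
    _, sender, recipient, _, sealed_m = final.body
    if final.by != sender or recipient != "B":
        raise ValueError("message not signed by its sender or not addressed to Bob")
    return sender, sealed_m.open("B")

def run(m="buy 100 shares", sent_at=100, bob_replies_at=104):
    """One full transaction on constructed inputs; returns what each side ends up with."""
    po = PostOffice()
    z = alice_a1(m, sent_at)
    to_bob, to_alice = po.po1(z, now=sent_at + 1)
    sending_receipt = to_alice.open("A")
    sealed_w, z_seen_by_bob = bob_b1(to_bob)
    try:
        z_seen_by_bob.open("B")
        bob_could_peek = True
    except PermissionError:
        bob_could_peek = False
    out = po.po2(sealed_w, now=bob_replies_at)
    result = {"bob_could_peek": bob_could_peek, "sending_receipt_by": sending_receipt.by,
              "delivered": None, "receipt": None, "fallback": out.get("fallback")}
    if result["fallback"] is None:
        result["receipt"] = out["to_alice"].open("A")      # w = SIG_B(recipient, z)
        result["receipt_covers_z"] = result["receipt"].body == ("recipient", z)
        result["delivered"] = bob_read(out["to_bob"])
    return result
```

Calling `run()` with a late `bob_replies_at` exercises the PO3 branch, in which Alice is left with only the sending-receipt of Step PO1 and Bob with nothing readable.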

The same variants and modifications for the Sending-
Receipt Method can also be applied to the above method.
Other variants may also be applied. In particular, the
sending-receipt given by the Post Office to Alice in step PO1 may
never be sent (e.g., because it may become irrelevant once
Alice gets a return-receipt), or sent only if Bob does not
produce a return-receipt fast enough. Also, the Post Office
may receive a transmission from Alice before it performs its
PO2 step. For instance, if Alice sends $E_A(E_B(m))$ in step A1,
she is required to remove her encryption layer before step
PO2.

If Bob receives the value z sent to him by the Post Office
and properly acknowledges it (i.e., if all involved, including
the communication network, behave properly), the
Return-Receipt Method is most efficient, convenient and
economical, since, in particular, it can be implemented in a
pure electronic manner. In the Return-Receipt Method, Bob
has even more incentives to produce his receipt than in the
above modification of the Sending-Receipt Method. Indeed,
for instance, while Alice may get a proper sending-receipt
anyway that can prove the content of her message to him, if
Bob refused to issue his better receipt, he will not even read
the cleartext message, nor learn the sender's identity. Thus,
while Alice already has a good form of receipt, by refusing
to collaborate he has absolutely nothing!

Despite the fact that Bob will almost always produce his
receipts, the following are some practical ways to implement
Step PO3. Here, the Post Office aims at delivering m to Bob
in exchange for a receipt. Because the Post Office will not in
general know m, it suffices that it delivers $E_B(m)$, or a string
encompassing it. Without intending any restrictions, assume
that the Post Office aims in Step PO3 at delivering the value
$v = E_{PO}(SIG_A(ICM, A, B, T, E_B(m)))$, envisaged in Step A1
and sent in digital form via a computer network.

To begin with, as discussed, the delivery of z may occur by
some version of traditional certified mail. For instance, the
Post Office may print z on paper and then traditionally
certified-mail deliver it to Bob, via a "mailman" which may
or may not work for the Post Office (e.g., he may belong to
UPS, Federal Express or other agency). The return-receipt
obtained this way does not guarantee the content of the
message; however, it may guarantee it in an indirect, yet
adequate, way. For instance, it can be used in conjunction
with a proper receipt of the Post Office (e.g., a digital
signature of z sent to Alice in Step PO1) to provide evidence
of the message actually delivered to Bob.

This format of z may be inconvenient, and thus create an
extra incentive for Bob to issue a receipt in Step B1.
Nonetheless, even this format of z may enable Bob to
recover m: for instance, he may scan it (with character
recognition) and then put it into digital form prior to
decrypting.

More conveniently, the Post Office may store z in a
computer diskette and have it delivered in person to Bob.
This form of delivery enables Bob to produce a return-receipt
that guarantees directly the content. Indeed, upon
being physically given the diskette, Bob may easily retrieve
z from it and digitally sign it. This signature may then be
given back to the mailman in the same diskette or in a
different diskette. The mailman may indeed carry with him
a device capable of checking Bob's signature. (This is quite
feasible also because for signature checking such a device
need not have access to any special secret.)

Since Bob would be reading the message prior to signing 
it, it may be preferable to elicit first from Bob an ordinary
generic receipt prior to giving him the diskette (in any case, 
the mailman can sign an affidavit that Bob accepted the 
diskette). 

Alternatively, the diskette may contain not z, from which
Bob may retrieve easily Alice's message, but information
that pins down the message but does not yet reveal the
message to Bob. For instance, the same value
$y = E_{PO}(SIG_{PO}(ICM, recipient: B, z))$ that we have envisaged the Post
Office to send Bob in Step PO1. Only after Bob digitally
signs y will the mailman enable Bob to retrieve Alice's
message. For instance, the device carried by the mailman
(preferably in a tamper-proof portion) may release a secret
key by which Bob can remove the Post Office encryption
layer. Alternatively, this key (or the right decryption, or
information sufficient to decrypt anyway) can be sent, upon
a proper signal, to the mailman, his device, or Bob directly
by a variety of means (e.g., by phone, radio, etc.).

It should be understood that the present invention can be
used to achieve additional properties, so as to yield other
electronic transactions or make simultaneous other
electronic transactions. For instance, the present ICM methods
may be used to simultaneously sign contracts.



As for another example, it should also be appreciated that
the ICM methods also yield very effective auction methods
with many bidding procedures (e.g., "public" or "secret"
biddings). Indeed, Alice may be a bidder, Bob an entity
handling the bids (e.g., deciding who are the winners of the
auction, what goods are sold for what prices, how many
units of a given good should be assigned to each bidder, and
so on), and the message m for Alice to Bob is Alice's bid.
Alice wishes to place her bid in return for a proper receipt,
preferably one that can be used to prove (among other 
information, such as time information) the exact value of her 
bid. This way, if necessary, she can contest the "victory" of 
someone else. By means of our envisaged mechanisms for 
ICMs (in particular, of time information, encryption, and 
signatures), we can implement auctions in many different 
ways. Without any limitation intended, let us illustrate two 
possible implementations of two simple-minded auctions: 
one where the bidding process is "public" and one where it 
is "secret." 

Consider first the following example of public bidding
(which may occur, for instance, in a computer network).
Assume there is a single indivisible good for sale in the
auction, which will be assigned by a process combining both
price and time. For making things cleaner, let us assume that
there is a sequence of times $T_1, T_2, \ldots$ and $T'_1, T'_2, \ldots$ where
$T_i \le T'_i$. (E.g., $T'_i = T_i + \Delta$, where $\Delta$ is a fixed quantity.) A bidder
gets the goods for a price P if there is an index i such that
she has offered a price P within time $T_i$ and no higher price
has been offered by time $T'_i$. (It is thus advisable that $T'_i$ be
greater than $T_i$, so that there is sufficient time to process all
bids properly.)

The current status of the bid can be made available (e.g.,
by Bob), so that the bidders know what the highest offered
price, P, at the "current" time, T, is. If Alice is willing to raise
the price, she must do so before it is too late. Since her bid
consists of her message to Bob, and it is assumed that the
Sending-Receipt Method is in use, Alice then sends her bid
to the Post Office in Step A1. If this transmission arrives
within a useful time (i.e., before some time T), the Post
Office issues her a receipt with an indication of the proper
time (interval), and then forwards her bid to Bob. Bob then
processes the bids relative to the next time interval (e.g.,
announces the new highest price, or that the auction is over
because no one offered more than the previous highest
price).

As can be seen, the Post Office may in this application be
an entity cooperating with Bob, even for only auction
purposes. Nonetheless, it may be preferable that it be made
sufficiently independent from Bob. For instance, though
prices are meant to be public, it is useful that bids are
encrypted with Bob's key, so that the Post Office will not
know the content of a bid when it issues a receipt. Thus, in
particular, it cannot be blamed for having refused to issue a
receipt (e.g., by claiming that it had arrived too late) in order
to favor a particular bidder. On the other hand, Bob, though
capable of reading the bids, is held back from cheating by the
fact that the bidders have been issued valid and very
informative receipts.

The system can be further enhanced so that the identity of
the bidder is not revealed to Bob (at least as long as the
auction is going on), but, say, only the price and time
information. Also, at each time (interval), rather than making
available just the new highest bid/price, Bob may make
available all incoming (legitimate) bids, so that the volume
of bidding is also learned by the bidders. Also, rather than
processing the incoming bids in batches and in time
intervals, Bob may process them one at a time (preferably in the
order they got in) and with individual times. (E.g., he may
still announce only the currently highest bid with its own
individual time T, and when a bid with price P and time T
is announced, and no higher price than P is offered before
time $T+\Delta$ then the auction is over.) Again, return receipt may
also be used in this application.
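
The one-at-a-time closing rule above (a bid with price P and time T wins once no higher price is offered before $T+\Delta$), as an added example that is not part of the patent text: it recomputes the outcome from the times stamped on the bidders' receipts, so that a bidder holding a receipt can contest an announced result. The `StampedBid` record, the function names and the sample bids are constructed for illustration.

```python
from typing import NamedTuple

class StampedBid(NamedTuple):
    time: int      # time T stamped by the Post Office on the bidder's receipt
    bidder: str
    price: int

def close_auction(bids, delta):
    """Return the winning bid: the highest bid (P, T) for which no higher
    price was offered before T + delta, or None if there are no bids."""
    best = None
    for bid in sorted(bids, key=lambda b: b.time):
        if best is not None and bid.time >= best.time + delta:
            break                  # the auction was already over: this bid is late
        if best is None or bid.price > best.price:
            best = bid             # a new highest price restarts the delta clock
    return best

def late_bids(bids, delta):
    """Bids stamped at or after the closing time T + delta of the winning bid."""
    winner = close_auction(bids, delta)
    if winner is None:
        return []
    return [b for b in bids if b.time >= winner.time + delta]

def contest(announced, receipts, delta):
    """Compare Bob's announced winner with the outcome implied by the receipts
    that bidders present. Returns the bid that should have won, or None if the
    announcement is consistent with the receipts."""
    expected = close_auction(receipts, delta)
    return None if expected == announced else expected

# Constructed sample: erin's higher bid arrives exactly at T + delta and is late.
DELTA = 10
BIDS = [
    StampedBid(100, "carol", 50),
    StampedBid(105, "alice", 60),
    StampedBid(112, "dave", 55),
    StampedBid(115, "erin", 70),
]
```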

It should also be noted that if Alice has sent her bid in a 
very timely fashion and has not received any timely receipt 
within a certain time, then she may still have time to take
additional steps to ensure that her bid is properly delivered.
Again, having two or more Post Offices, or Post Offices
comprising a plurality of agents, may be very useful here
because this enhances her chance of getting at least one valid
receipt.

In particular the Post Office agents may be implementing
a threshold cryptosystem. A plurality of Post Offices or
multi-agent Post Offices may also benefit Bob, because he is
better guaranteed that each bid will be properly forwarded to
him. There may also be more than one Bob, and (each) Bob
too may comprise several agents. It should be appreciated
that if there are a multiplicity of agents involved it is also
possible that Bob and the Post Office coincide, that is, that
they simply are names for different functions performed by
the same auctioning entity.

Notice also that the ICM methods may immediately
accommodate secret bidding mechanisms. Indeed, any of the
methods above may be used for this purpose. For instance,
consider batch-processing of bids when there is a single time
interval T and a single, disjoint and subsequent time interval
$T'$. Then the Post Office issues receipts only for those bids
received during T, and forwards all these bids to Bob, but
only during $T'$. This way, no bid can be learned before the
right time, unless there is an illegitimate cooperation
between Bob and the Post Office (or sufficiently many
agents). In all these scenarios, customization is quite useful
since it also prevents that an enemy can copy Alice's bid so
as to be guaranteed that he will win the auction if she does.

Finally, it should be noticed that the methods extend to
more complex auctions (e.g., there may be many goods of
arbitrary nature, such as airwave bandwidths; these goods
may be divisible, and thus, for instance, the highest bid may
take only a portion of a good, and so on). In general it will
be important to also indicate in each bid the particular
auction, good, and the like.

Although the invention has been described in detail, it 
should be appreciated that the scope of the invention is 
limited only by the following claims.

What is claimed is: 

1. An electronic communications method between a first 
and a second party, with assistance from at least a trusted 
party, enabling an electronic transaction in which the first 
party has a message for the second party, comprising the
steps of: 

having the first party transmit to the trusted party a custom 
version of the message intelligible to the second party 
but not by the trusted party; 

in response, having the trusted party verify that the first
party transmitted the custom version of the message 
and that the second party is the intended recipient 
thereof; 

having the trusted party transmit to the second party 
information that identifies the first party and from 
which the second party can retrieve the message; and 

having the trusted party transmit to the first party a
sending receipt indicating that the message has been
transmitted to the second party;

wherein at least one of the transmissions is carried out
electronically and the first party does not communicate
an encryption of the message directly to the second
party to facilitate said electronic transaction.

2. The electronic communications method as described in 
claim 1 wherein the first party generates the custom version 
of the message at least by encrypting the message with a key 
associated with the second party. 

3. The electronic communications method as described in 
claim 1 wherein the first party generates the custom version 
of the message at least by encrypting a value with a key 
associated with the trusted party, the value including the 
encryption of the message with a key associated with the 
second party. 

4. The electronic communications method as described in 
claim 3 wherein the value includes other information 
selected from the following: an identifier of the first party, an
identifier of the second party, and an identifier signifying 
that the custom value is part of an electronic transaction. 

5. The electronic communications method as described in 
claim 1 wherein the information that the trusted party 
transmits to the second party includes at least an encryption 
of the message with a key associated with the second party. 

6. The electronic communications method as described in 
claim 5 wherein the information that the trusted party 
transmits to the second party includes an identifier signify- 
ing that the information is part of an electronic transaction 
and information indicating that the message was sent by the 
first party. 

7. The electronic communications method as described in 
claim 1 wherein the sending receipt includes a digital 
signature of the trusted party. 

8. The electronic communications method as described in 
claim 1 wherein the sending receipt enables the first party to 
prove the content of the message. 

9. The electronic communications method as described in 
claim 8 wherein at least one transmission is encrypted with 
a key associated with a recipient of that transmission. 

10. The electronic communications method as described 
in claim 7 wherein each transmission is encrypted with a key 
associated with a recipient of that transmission. 

11. The electronic communications method as described 
in claim 7 wherein the trusted party digitally signs informa- 
tion selected from the following: an identifier of the first 
party, an identifier of the second party, an identifier signifying
that the custom value is part of an electronic transaction, an 
encryption of the message with a key associated with the 
second party, information identifying a time when the 
trusted party transmitted the sending receipt, and informa- 
tion identifying a time when the trusted party received the 
custom version of the message. 

12. The electronic communications method as described 
in claim 11 wherein the sending receipt enables the first 
party to prove the content of the message. 

13. The electronic communications method as described 
in claim 1 wherein the at least one of the first party, the 
second party and the trusted party cooperates with a plurality 
of agents in a predetermined manner to assist in effecting the 
electronic transaction. 

14. The electronic communications method as described 
in claim 13 wherein a plurality of agents relative to one of 
the first party, the second party and the trusted party hold 
shares of a secret key of that party. 

15. The electronic communications method as described 
in claim 13 wherein the trusted party does not assist the 
transaction if there is not a plurality of agents holding shares 
of a key associated with the second party. 

16. The electronic communications method as described
in claim 1 wherein the information transmitted from the
trusted party to the second party does not identify the first
party in at least one of the transmissions to the second party.

17. The electronic communications method as described 
in claim 1 further including the steps of: 

requesting the second party to transmit a return receipt of
the message;

if the second party does not transmit the return receipt
within a given period of time, having the message sent
again to the second party by a non-electronic return
receipt method.

18. The electronic communications method as described 
in claim 17 wherein at least one return receipt indicates the 
contents of the message. 

19. The electronic communications method as described
in claim 1 wherein the trusted party does not issue a receipt
considered to be valid unless the custom version of the
message is received by the trusted party within a given time.

20. The electronic communications method as described 
in claim 11 where the trusted party does not issue a receipt 
considered to be valid unless the custom version of the
message is received by the trusted party within a given time. 

21. An electronic communications method between a first 
and a second party, with assistance from at least a trusted 
party, enabling an electronic transaction in which the first 
party has a message for the second party, comprising the
steps of: 

having the first party transmit to the trusted party a custom 
version of the message intelligible to the second party 
but not by the trusted party; 

in response, having the trusted party verify that the first
party transmitted the custom version of the message 
and that the second party is the intended recipient 
thereof; 

having the trusted party transmit to the second party first 
information which determines the message but retains
the message and the identity of the first party hidden 
from the second party; 

determining whether within a given time the second party
transmits to the trusted party a return receipt indicating
that the second party received the transmission of the
first information from the trusted party; and

if the second party transmits the return receipt to the
trusted party, having the trusted party (i) transmit to the
second party second information from which the second
party, using the first and second information, can
retrieve the message, and (ii) transmit to the first party
a receipt that the second party has received the mes-



wherein at least one of the transmissions is carried out
electronically and the first party does not communicate 
an encryption of the message directly to the second 
party to facilitate the electronic transaction. 

22. The electronic communications method as described
in claim 21 wherein the trusted party also transmits to the
first party a sending receipt for the message.

23. The electronic communications method as described 
in claim 21 wherein the second information also enables the 
second party to prove the identity of the first party and the 
content of the message, and at least one receipt proves the
content of the message and the identity of the second party. 

24. The electronic communications method as described 
in claim 21 wherein the first party generates the custom 
version of the message at least by encrypting the message 
with a key associated with the second party.

25. The electronic communications method as described
in claim 21 wherein the first party generates the custom
version of the message by encrypting a value with a key
associated with the trusted party, the value including the
encryption of the message with a key associated with the
second party.

26. The electronic communications method as described 
in claim 25 wherein the value includes other information 
selected from the following: an identifier of the first party, an 
identifier of the second party, and an identifier signifying 
that the custom value is part of an electronic transaction, and 
an identifier signifying a time of transmission. 

27. The electronic communications method as described 
in claim 21 wherein the second party must transmit the 
return receipt to the trusted party within a predetermined 
time period in order for the electronic transaction to be valid. 

28. The electronic communications method as described 
in claim 21 wherein after the trusted party verifies that the 
first party transmitted the custom version of the message, the 
trusted party transmits to the first party a guarantee that the 
custom version of the message has been sent to the second 
party. 

29. The electronic communications method as described 
in claim 21 wherein all of the transmissions are carried out 
electronically. 

30. The electronic communications method as described 
in claim 21 wherein the one of the first party, the second 
party and the trusted party cooperates with a plurality of 
agents in a predetermined manner to assist in effecting the 
electronic transaction. 

31. The electronic communications method as described 
in claim 30 wherein a plurality of agents relative to one of 
the first party, the second party and the trusted party hold 
shares of a secret key of that party. 

32. The electronic communications method as described 
in claim 31 wherein the trusted party does not assist the 
transaction if there is not a plurality of agents holding shares 
of a key associated with the second party. 

33. The electronic communications method as described 
in claim 21 wherein if the second party does not receive the 
second information in a given period of time, having the 
second party take additional steps to initiate a transaction 
that guarantees that the second party receives the message. 

34. An electronic communications method between a first 
and a second party, with assistance from at least a trusted 
party, enabling an electronic transaction in which the first 
party has a message for the second party but wherein the first 
party does not communicate an encryption of the message 
directly to the second party to facilitate the electronic 
transaction, comprising the steps of: 

having the first party transmit to the trusted party a version 
of the message intelligible to the second party but not 
by the trusted party; 

in response, having the trusted party verify that the first 
party transmitted the version of the message and that 
the second party is the intended recipient thereof; 

having the trusted party transmit to the second party first 
information which determines the message but retains 
the message and the identity of the first party hidden
from the second party; 

in response, determining whether within a predetermined 
time the second party transmits to the trusted party a 
return receipt indicating that the second party received 
the transmission of the first information from the 
trusted party; 

if the second party does not transmit the return receipt 
within the predetermined time, having the trusted party 
take action to deliver the message to the second party 
in a way to guarantee the generation of the return
receipt. 

35. The electronic communications method as described 
in claim 34 wherein the action taken by the trusted party 
includes having the message sent to the second party by a
non-electronic return receipt method. 

36. The electronic communications method as described 
in claim 34 wherein the trusted party also transmits to the 
first party at least one receipt for the message. 

37. The electronic communications method as described
in claim 36 wherein the receipt obtained by the first party 
enables the first party to prove the content of the message. 

38. The electronic communications method as described 
in claim 1 wherein the message is a bid and the electronic 
transaction is an auction.

39. The electronic communications method as described 
in claim 1 wherein the message is the first party's commitment
to a contract and the electronic transaction is a contract
closing. 

40. An electronic communications method between a first
and a second party, with assistance from at least a trusted 
party, enabling an electronic transaction in which the first 
party has a message for the second party, comprising the step 
of: 

having the first party, the second party and the trusted
party undertake an exchange of transmissions, at least 
one of which occurs electronically and in an encrypted 
manner, but where the first party does not communicate 
an encryption of the message directly to the second 
party to facilitate the electronic transaction, such that if
all transmissions reach their destinations the second 
party only receives the message if the first party 
receives at least one receipt. 

41. The electronic communications method as described 
in claim 40 wherein at least one receipt received by the first 
party enables the first party to prove the content of the
message received by the second party. 

42. The electronic communications method as described 
in claim 41 wherein the one receipt is a return receipt 
produced by the second party. 

43. The electronic communications method as described 
in claim 42 wherein the trusted party delivers the message to 
the second party by a non-electronic return receipt method 
if the second party does not deliver electronically a return 
receipt within a given amount of time. 

44. The electronic communications method as described 
in claim 40 wherein the one of the first party, the second 
party and the trusted party cooperates with a plurality of 
agents in a predetermined manner to assist in effecting the 
electronic transaction. 

45. The electronic communications method as described 
in claim 44 wherein a plurality of agents relative to one of 
the first party, the second party and the trusted party hold 
shares of a secret key of that party. 

46. The electronic communications method as described 
in claim 45 wherein the trusted party does not assist the 
transaction if there is not a plurality of agents holding shares 
of a key associated with the second party. 

47. The electronic communications method as described 
in claim 40 wherein the message is a bid and the electronic 
transaction is an auction. 

48. The electronic communications method as described 
in claim 40 wherein the message is the first party's
commitment to a contract and the electronic transaction is a
contract closing. 

49. The electronic communications method as described 
in claim 21 wherein the first party transmits to the trusted 
party additional information before the trusted party
transmits the second information to the second party.
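
The exchange recited in claims 21, 25 and 27, sketched as an added example that is not part of the patent text. Assumptions: a toy keystream cipher and HMAC stand in for the encryption and signatures, the "first information" is modelled as a hash commitment to a per-transaction key plus the doubly encrypted message, and the party names, sample bid and 60-unit deadline are hypothetical.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):  # toy SHA-256 counter keystream: a stand-in cipher only
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, pt):
    nonce = os.urandom(16)
    return nonce + _xor(key, nonce, pt)
def dec(key, ct):
    return _xor(key, ct[:16], ct[16:])
def sign(key, data):  # HMAC stands in for a party's signature
    return hmac.new(key, data, hashlib.sha256).digest()

class TrustedParty:
    def __init__(self, key, sig_keys, deadline):
        self.key, self.sig_keys, self.deadline, self.pending = key, sig_keys, deadline, {}

    def accept(self, custom, tag, now):
        # Custom version (claim 25 shape): E_T(sender | recipient | E_B(message)).
        sender, recipient, inner = dec(self.key, custom).split(b"|", 2)
        if not hmac.compare_digest(tag, sign(self.sig_keys[sender], custom)):
            raise ValueError("sender not verified")
        k = os.urandom(32)  # per-transaction key, held back until the receipt arrives
        first = hashlib.sha256(k).digest() + enc(k, inner)  # fixes the message, hides it and the sender
        self.pending[first] = (sender, recipient, k, now + self.deadline)
        return recipient, first

    def on_receipt(self, first, receipt, now):
        sender, recipient, k, expires = self.pending[first]
        if now > expires or not hmac.compare_digest(receipt, sign(self.sig_keys[recipient], first)):
            return None  # no valid receipt in time: second information is withheld
        del self.pending[first]
        return k, (sender, first, receipt, k)  # second information, sender's receipt

def run(delay, msg=b"bid: 1200 for lot 7 (constructed sample)"):
    t_key, b_key = os.urandom(32), os.urandom(32)
    sig = {b"alice": os.urandom(32), b"bob": os.urandom(32)}
    tp = TrustedParty(t_key, sig, deadline=60)
    custom = enc(t_key, b"alice|bob|" + enc(b_key, msg))  # trusted party never sees msg
    _, first = tp.accept(custom, sign(sig[b"alice"], custom), now=0)
    result = tp.on_receipt(first, sign(sig[b"bob"], first), now=delay)
    if result is None:
        return None
    k, alice_receipt = result
    if hashlib.sha256(k).digest() != first[:32]:
        raise ValueError("second information does not match commitment")
    return dec(b_key, dec(k, first[32:])), alice_receipt
```

The receipt returned to the sender binds the recipient's signature over the first information to the released key, which is what lets the sender later show what was delivered.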

***** 